Survey: Microsoft bears some blame for worms

One-third of business users blame Microsoft for the recent worm outbreak, despite the company's security efforts, according to a poll.

Thirty-five percent of respondents to an informal Web survey of customers by security company Sophos said the software maker was ultimately at fault for the recent rash of worms spawned by variants of Zotob. In the poll results, released on Thursday, 45 percent placed the blame squarely on the virus writers, while 20 percent laid blame on their systems administrators for not patching systems fast enough.

"The majority of users believe that the virus writer has to take the ultimate blame for deliberately creating and unleashing this worm to wreak havoc on poorly protected business," Graham Cluley, Sophos senior technology consultant, said in a statement. "But what is most surprising is that so many people blame Microsoft for having the software flaw in the first place."

Microsoft is not alone. Companies are increasingly calling on software developers to improve their security battle-testing of products before release.

"No software is 100 percent secure, and this is collectively being felt by the industry," a Microsoft representative said Thursday. "Over the last year, Microsoft has made improvements with security."

The software giant, for example, has launched its Security Development Lifecycle, the representative said. The move modified Microsoft's software development process to improve the way it integrates security best practices from the get-go.

Microsoft has also seen security improvements with its Windows XP operating system and the Service Pack 2 update, analysts said.

In the most recent worm outbreak, malicious attackers began circulating variants of Zotob and other viruses that exploit a plug-and-play feature in some Windows versions. The onslaught came shortly after Microsoft's regular monthly patch release, which included a fix for the problem. The flaw allows remote attack in Windows 2000 and not Windows XP SP2, according to Microsoft.

"Microsoft is stuck between a rock and a hard place when it comes to vulnerabilities," Cluley said. "When it goes public about its security holes, a virus can be written to exploit them and many businesses may not have rolled out the patch. If it kept quiet...everyone would ask why Microsoft hadn't warned anyone of the vulnerability."